fitaiProto/docs/RELEASE_HARDENING_CHECKLIST.md

Release Hardening Checklist

This checklist is the final validation gate before shipping security and mobile API changes.

1) Pre-Release Validation

  • Confirm the target branch is up to date with master
  • Verify no unintended files are staged (git status --short)
  • Confirm release notes summarize risky changes (authz, API contracts, caching)

2) Automated Checks

Run from repository root:

npm run typecheck:admin
npm run typecheck:mobile
npm run test:admin

Run mobile API-focused tests:

cd apps/mobile
npm run test -- src/api/__tests__/gyms.test.ts src/api/__tests__/recommendations.test.ts src/api/__tests__/notifications.test.ts

3) Admin Security Spot Checks

  • Verify non-admin receives 403 on privileged routes
  • Verify unauthenticated requests receive 401
  • Verify cross-gym actions are denied for non-superAdmin
  • Verify DELETE /api/users blocks self-delete for admin users
  • Verify recommendation approval derives approver from auth context (not request body)
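The spot checks above can be scripted so they run the same way on every release. The runner below is an added example, not code from the fitaiProto repo: it drives the checks through an injected `send` function (wrap `fetch` for a staging deployment, or an in-memory fake in tests). The route paths, the `Actors` setup and the `approvedBy` response field are assumptions about the API.

```typescript
// Added example: automated runner for the admin authz spot checks.
// Routes, actor tokens and the approvedBy field are assumptions about the API.
type Resp = { status: number; body?: Record<string, unknown> };
type Send = (method: string, path: string, token?: string, body?: unknown) => Promise<Resp>;

interface Actors {
  member: string;           // token of a regular (non-admin) user
  admin: string;            // token of a gym admin
  adminUserId: string;      // that admin's own user id (self-delete check)
  superAdmin: string;       // token of a superAdmin
  otherGymId: string;       // a gym the admin does NOT belong to
  recommendationId: string; // a pending recommendation the admin may approve
}

interface Check { name: string; pass: boolean; detail: string }

async function expectStatus(send: Send, name: string, want: number, method: string,
                            path: string, token?: string, body?: unknown): Promise<Check> {
  const r = await send(method, path, token, body);
  return { name, pass: r.status === want, detail: `${method} ${path} -> ${r.status}, want ${want}` };
}

async function runAdminSpotChecks(send: Send, a: Actors): Promise<Check[]> {
  const out: Check[] = [];
  // Unauthenticated callers get 401 (not 403, and certainly not 200).
  out.push(await expectStatus(send, "unauthenticated -> 401", 401, "GET", "/api/users"));
  // Authenticated but non-admin callers get 403 on a privileged route.
  out.push(await expectStatus(send, "non-admin -> 403", 403, "GET", "/api/users", a.member));
  // Cross-gym action: denied for a gym admin, allowed for superAdmin.
  const gymPath = `/api/gyms/${a.otherGymId}`;
  out.push(await expectStatus(send, "cross-gym admin -> 403", 403, "PATCH", gymPath, a.admin, { name: "x" }));
  out.push(await expectStatus(send, "cross-gym superAdmin -> 200", 200, "PATCH", gymPath, a.superAdmin, { name: "x" }));
  // An admin deleting their own account must be refused.
  out.push(await expectStatus(send, "admin self-delete blocked", 403, "DELETE", "/api/users", a.admin, { userId: a.adminUserId }));
  // Approver must come from the auth context: a spoofed approvedBy in the body is ignored.
  const r = await send("POST", `/api/recommendations/${a.recommendationId}/approve`, a.admin, { approvedBy: "spoofed-user" });
  out.push({ name: "approver from auth context",
             pass: r.status === 200 && r.body?.approvedBy === a.adminUserId,
             detail: `approvedBy=${String(r.body?.approvedBy)}, want ${a.adminUserId}` });
  return out;
}

const allPassed = (checks: Check[]): boolean => checks.every(c => c.pass);
```

Fail the release gate when `allPassed` is false and attach the `detail` strings to the deployment record.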

4) Mobile Functional Smoke Checks

  • Sign in as User A and load tabs/profile data
  • Sign out and sign in as User B
  • Confirm no User A data remains in goals, hydration, nutrition, stats, recommendations, notifications
  • Confirm onboarding gym selection and profile save flow still succeed
  • Confirm notifications load and unread count updates after read/delete actions

5) Rollback Plan

If an incident occurs after release:

  1. Revert the release commit(s) from newest to oldest.
  2. Redeploy reverted build.
  3. Validate authentication and onboarding flows.
  4. Post incident note with root cause and follow-up action.

Suggested rollback command pattern:

git revert <latest_commit_sha>
git revert <previous_commit_sha>

6) Deployment Record

Capture this in PR/release notes:

  • Release date/time:
  • Release owner:
  • Commits included:
  • Validation commands run:
  • Known caveats (if any):